[NXP-28456] New implementation for the encrypted (AES) blob provider - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10.10-HF21, 11.1, 2021.0
Component/s: BlobManager

Release Notes Summary:
A new implementation for the encrypted (AES) blob provider is available.
Tags:
Backlog priority:
700
Upgrade notes:
Hide

A new blob provider org.nuxeo.ecm.core.blob.AESBlobProvider is available.

It has the same configuration properties as the old org.nuxeo.ecm.core.blob.binary.AESBinaryManager.

To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons).

The blob provider configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2.

For keystore use, the following properties are available:

keyStoreType: the keystore type, for instance JCEKS

keyStoreFile: the path to the keystore, if applicable

keyStorePassword: the keystore password

keyAlias: the alias (name) of the key in the keystore

keyPassword: the key password

And for PBKDF2 use:

password: the password

In addition, the following property may be specified to define where the encrypted blobs are stored:

path: the filesystem path for the storage (if relative, under nxserver/data). The default is binaries.

For backward compatibility, the encryption properties can also be included in the <property name="key">prop1=value1,prop2=value2,...</property> of the blob provider configuration.
Show
A new blob provider org.nuxeo.ecm.core.blob.AESBlobProvider is available. It has the same configuration properties as the old org.nuxeo.ecm.core.blob.binary.AESBinaryManager . To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons). The blob provider configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2. For keystore use, the following properties are available: keyStoreType : the keystore type, for instance JCEKS keyStoreFile : the path to the keystore, if applicable keyStorePassword : the keystore password keyAlias : the alias (name) of the key in the keystore keyPassword : the key password And for PBKDF2 use: password : the password In addition, the following property may be specified to define where the encrypted blobs are stored: path : the filesystem path for the storage (if relative, under nxserver/data ). The default is binaries . For backward compatibility, the encryption properties can also be included in the <property name="key">prop1=value1,prop2=value2,...</property> of the blob provider configuration.
Sprint:
nxFG 11.1.11

Description

When using an encrypted binary manager like AESBinaryManager is used, temporary files are created in $DATA/binaries/tmp with the clear version of the files

-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_1408218792246778164.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_1632870049031419390.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_224213507322968208.tmp
-rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:22 nxserver/data/binaries/tmp/bin_236964128159098082.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:22 nxserver/data/binaries/tmp/bin_3666157129495999547.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_3863882643970085669.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:08 nxserver/data/binaries/tmp/bin_6265926432627041060.tmp
-rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:09 nxserver/data/binaries/tmp/bin_7113531504103435431.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 15:57 nxserver/data/binaries/tmp/bin_7791077638803292109.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:09 nxserver/data/binaries/tmp/bin_7839008301594541886.tmp
-rw-rw-r-- 1 nuxeo nuxeo 34960 Oct 29 16:22 nxserver/data/binaries/tmp/bin_8278480127780447852.tmp
-rw-rw-r-- 1 nuxeo nuxeo 24665 Oct 29 16:22 nxserver/data/binaries/tmp/bin_9138390679702223470.tmp

These files are not deleted immediately and sometimes remains in the tmp folder for a very long time. This is due to the usage of Framework.trackFile

I've observed that some files remains even if I perform a full GC.

Can't we find a more robust way of deleting these temporary files?

Attachments

Issue Links

depends on

NXP-28276 Refactor blob providers infrastructure for more flexibility

Resolved

NXP-15106 AES Binary Store Encryption

Resolved

is required by

NXP-27650 Delete nuxeoImageTarget files after picture transformations

Resolved

NXP-28817 Fix TestAESBlobStore random failure

Resolved

Is referenced in

PR for master: #4165

PR for master: #4294

(1 Is referenced in)

Activity

People

Assignee:

Florent Guillaume

Reporter:

Thierry Martins

Participants:

Anahide Tchertchian, Florent Guillaume, Jenkins, Support Tech User, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

2019-10-29 16:25

Updated:

2020-12-17 16:33

Resolved:

2020-01-20 14:01

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: